X.509 support in WCF Exploring support for X.509 Certificates in Microsoft’s Windows Communication Foundation Paul Cormier UCCS CS591 Fall 2009

12/8/2009Paul Cormier - X.509 Support in WCF 2 Right to the point… WCF allows you to specify a service Certificate with which it will use to decrypt SOAP messages sent from clients, and to sign messages sent to clients. It allows you to accept a client Certificate with which it will use to encrypt SOAP messages sent to clients and read signatures on SOAP messages sent from clients.

12/8/2009Paul Cormier - X.509 Support in WCF 3 WCF allows you to specify transport level protocol such as HTTPS (TLS/SSL), and the service Certificate that it uses to send SOAP messages in this manner. WCF allows you to specify that a client Certificate to be used for Identification and provides an Identity support class. WCF allows you to specify how Certificates should be trusted, either by its inclusion in your certificate store, chain trust in the CA signature or either.

12/8/2009Paul Cormier - X.509 Support in WCF 4 Certificate Validation, including support for custom validation. WCF allows you to set up a Hybrid Public/Symmetric key ‘conversation.’.Net Framework includes an entire namespace to support X.509 Certificates: System.Security.Cryptography.X509Certificates

12/8/2009Paul Cormier - X.509 Support in WCF 5 Overview 1.What is WCF 2.X.509 is standard specifying a Public Key Infrastructure (PKI). 3.Three certificates (CA, Service, Client) 4.WCF ABCs. 5.WCF Authentication, Authorization, Transfer Security, Identity Management 6.Example

12/8/2009Paul Cormier - X.509 Support in WCF 6 What is WCF Microsoft.Net framework API that unifies many existing standards: WS-Addressing, WS-ReliableMessaging, WS-Security etc. Uses SOAP messages Supports a number of different protocols Compatible with non-Microsoft web services and clients Service Oriented Architecture A WCF Service is composed of Service class, hosting environment and one or more Endpoints

12/8/2009Paul Cormier - X.509 Support in WCF 7 Endpoint = ABC Address (where is service) Binding (how do I talk to it) WSHttpBinding Contract (what can it do) [ServiceContract] [DataContract] [OperationContract] [FaultContract]

12/8/2009Paul Cormier - X.509 Support in WCF 8 WCF Authentication (who) Who are you (client, server)? Authentication Types: None, Windows authentication, Username and Password, X.509 Certificate, Issued Token, Custom For Certificate, the local Cert Store is checked. IIdentity interface.

12/8/2009Paul Cormier - X.509 Support in WCF 9 WCF Authorization (what) What does the client have access to do? Windows Groups (default) ASP.Net Membership provider (SQL Server) WCF provides IPrincipal interface and some implementing classes.

12/8/2009Paul Cormier - X.509 Support in WCF 10 WCF Transfer Security (how) How are messages secured while in transit? Transfer Security types: None, Transport, Message, Mixed, Both Message: end to end, slower, more complicated Transport: fast, hop-to-hop

12/8/2009Paul Cormier - X.509 Support in WCF 11 Identity Management The identity under which the code is ran. Can be mixed (calling user, id that service is running as) Special internal IIdentity class for X.509 Certificate Identity stored in IPrincipal implementation.

12/8/2009Paul Cormier - X.509 Support in WCF 12 B2B Example

12/8/2009Paul Cormier - X.509 Support in WCF 13 References Lowy, Juval; Programming WCF Services, Oreilly Improving Web Services Security, Scenarios and Implementation Guidance for WCF, Patterns and Practices series (WcfSecurityGuide.pdf), Microsoft Web Service Security; Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0, Patterns and Practices series (MS_WSS_Dec_05.pdf), Microsoft Bustamante, Michele Leroux; Fundamentals of WCF Security; magazine.com/article.aspx?quickid= http:// magazine.com/article.aspx?quickid= Also… Wikipedia, various MSDN articles.